How do I Secure API Gateway User Interface Communication?
The API Gateway UI (web application) is one of the API Gateway components in an API Management setup. Securing it allows users to access the API Gateway UI over HTTPS. This section explains how to secure API Gateway UI communication using the HTTPS protocol.
You must have API Gateway administrator privileges to perform this operation. Also, ensure that the required client and server certificates are available.
To configure the API Gateway user interface for secure communication:
- Locate the keystore and truststore files in the file system. The default keystore and truststore files are available in the Installation_Dir\common\conf folder.
  Note: If you want to use a custom keystore with self-signed certificates, see Creating a Custom Keystore with Self-Signed Certificates for details on how to create a keystore and generate the required self-signed certificate.
- Configure the keystore and the HTTPS port on which you want to expose the API Gateway UI:
  - Navigate to Installation_Dir\profiles\IS_default\configuration\com.softwareag.platform.config.propsloader and search for files that begin with the file name pattern com.softwareag.catalina.connector.https.pid-*.properties. If more than one file in the selected folder matches this pattern, the first matching file is selected.
    Note: By default, the file name is com.softwareag.catalina.connector.https.pid-apigateway.properties.
  - Open the file and modify the following properties by providing the keystore, password, and port details:
    keystoreFile=generated_keystore_file_path/https_keystore.jks
    port=9073 (the HTTPS port on which you want to expose the web application)
    @secure.keystorePass=password (the password used while creating the keystore file)
For details about these configurations, see the Software AG Infrastructure Administrator's Guide and https://tomcat.apache.org/tomcat-7.0-doc/config/http.html.
Harden TLS configuration of the API Gateway UI port
To harden the TLS configuration of the API Gateway UI port, perform the following steps:
- Enable the TLSv1.2 or TLSv1.3 protocol as follows:
  - Navigate to Installation_Dir\profiles\IS_default\configuration\com.softwareag.platform.config.propsloader and search for files that begin with the file name pattern com.softwareag.catalina.connector.https.pid-*.properties. If more than one file in the selected folder matches this pattern, the first matching file is selected.
    Note: By default, the file name is com.softwareag.catalina.connector.https.pid-apigateway.properties.
  - Open the file and add the following line to the properties file:
    sslEnabledProtocols=TLSv<version number>
    For example, to enable the TLSv1.3 protocol, add:
    sslEnabledProtocols=TLSv1.3
- Specify a list of secure cipher suites by adding the following line to the same properties file:
  ciphers="List of Secure Cipher_Suites"
  For details about the recommended cipher suites, see the IANA TLS cipher suite registry (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml) or the webMethods Integration Server Administrator's Guide.
- Set the size of ephemeral Diffie-Hellman keys to 2048 bits, depending on the configured cipher suites. You can do this by adding the following line to the custom_wrapper.conf file located in the SAG_root/profiles/IS_default/configuration directory:
  wrapper.java.additional.401=-Djdk.tls.ephemeralDHKeySize=2048
You can verify the resulting TLS configuration using tools such as testTLS.sh, which checks for vulnerable TLS configurations.
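Before connecting a scanner to the port, the settings above can be audited directly from the two files they live in. The following added example (not part of the Software AG documentation or product) parses a constructed copy of the connector properties file and the custom_wrapper.conf line, and reports missing keystore details, protocols other than TLSv1.2/TLSv1.3, cipher suites containing well-known weak markers, and a missing or undersized ephemeralDHKeySize; the sample values and the weak-marker list are assumptions.

```python
import re

# Constructed sample of com.softwareag.catalina.connector.https.pid-apigateway.properties; values are made up.
SAMPLE_CONNECTOR = """\
keystoreFile=/opt/softwareag/common/conf/https_keystore.jks
port=9073
@secure.keystorePass=changeit
sslEnabledProtocols=TLSv1.2,TLSv1.3
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
"""
# Constructed sample line from custom_wrapper.conf (the setting the page recommends).
SAMPLE_WRAPPER = "wrapper.java.additional.401=-Djdk.tls.ephemeralDHKeySize=2048\n"

WEAK_CIPHER_MARKERS = ("NULL", "RC4", "3DES", "EXPORT", "anon", "MD5")  # assumed deny-list
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def parse_properties(text):
    """Parse key=value lines of a Java-style properties file; '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().strip('"')  # ciphers value is quoted on the page
    return props

def audit_connector(props):
    """Return a list of findings for the HTTPS connector properties (empty list = no issues)."""
    findings = []
    for key in ("keystoreFile", "@secure.keystorePass"):
        if not props.get(key):
            findings.append(f"{key} is not set")
    protocols = {p.strip() for p in props.get("sslEnabledProtocols", "").split(",") if p.strip()}
    if not protocols:
        findings.append("sslEnabledProtocols is not set (connector default applies)")
    for p in sorted(protocols - ALLOWED_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {p}")
    ciphers = [c.strip() for c in props.get("ciphers", "").split(",") if c.strip()]
    if not ciphers:
        findings.append("ciphers is not set (connector default applies)")
    for c in ciphers:
        if any(marker in c for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite: {c}")
    return findings

def audit_wrapper(text):
    """Check custom_wrapper.conf text for a jdk.tls.ephemeralDHKeySize of at least 2048 bits."""
    m = re.search(r"^wrapper\.java\.additional\.\d+=-Djdk\.tls\.ephemeralDHKeySize=(\d+)", text, re.M)
    if m and int(m.group(1)) >= 2048:
        return []
    return ["jdk.tls.ephemeralDHKeySize is missing or below 2048"]
```

Run `audit_connector(parse_properties(open(path).read()))` against the real file to flag settings that the first two hardening steps did not fully apply.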